Galed Friedmann
2011-Oct-17 14:53 UTC
[Puppet Users] Reusing host names with puppet and SSL certificates
Hello all, I'm trying to figure some things out with SSL and would appreciate some help or best practices here.

I'm implementing auto scaling over Amazon EC2 for some services I have. All of the instances are based on the same AMI, and I'm using Puppet to configure the hosts when they come up to make sure they have the latest configuration; I'm also using some exported resources in order to configure other instances that need to use their details.

My auto scaling environment is supposed to be dynamic and go up and down as needed. I also need to use host names that will differentiate one host from the other and have some ID. Currently when a host comes up it gets an ID between 1 and 25 (depending on what's available) and comes up.

My problem is that sometimes a node goes down, and then a new node comes up and takes its number (which is alright), but then puppetmaster refuses to let it come up because obviously it now has a different SSL certificate than the one that was previously up.

Is there a best practice or a solution for this problem? I do need to use the same hostnames sometimes for instances that generate new certificates when they come up. I've been trying to clean the certificates once in a while for instances that are no longer responding, but that didn't go very well, and I also understand that I need to restart the master in order for that to take effect, which I don't want to do.

One solution that I thought about is to generate a certificate for each hostname and make sure that when an instance comes up it gets the specific certificate that was already generated and signed by the master. Is this a good idea? Any other thoughts about this?

Thanks,
Galed.

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/8bVpwxZE_-IJ. To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
James A. Peltier
2011-Oct-17 15:05 UTC
Re: [Puppet Users] Reusing host names with puppet and SSL certificates
----- Original Message -----
<snip>
| Is there a best practice or a solution for this problem? I do need to use
| the same hostnames sometimes for instances that generate new certificates
| when they come up, I've been trying to clean the certificates once in a
| while for instances that are no longer responding but that didn't go very
| well and I also understand that I need to restart the master in order for
| that to take effect which I don't want to do.
|
| One solution that I thought about is to generate a certificate for each
| hostname and make sure that when an instance comes up it gets the specific
| certificate that was already generated and signed by the master. Is this a
| good idea? Any other thoughts about this?
|
| Thanks,
| Galed.

I use server-generated certificates and copy those certificates to the host upon re-install. Works very well for me.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
I will do the best I can with the talent I have
Alexandre Fouché
2011-Oct-18 12:31 UTC
Re: [Puppet Users] Reusing host names with puppet and SSL certificates
As far as I could see, the Puppet cloud provisioner also generates a random name and creates a certificate request based on it. Then the Puppet client is run with the certname option, set to this previously generated hostname.

2011/10/17 James A. Peltier <jpeltier@sfu.ca>
> <snip>
>
> I use server-generated certificates and copy those certificates to the host
> upon re-install. Works very well for me.
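The two approaches in the thread differ in where the private key lives. Pre-generating a certificate per hostname (the original poster's idea, and what James does on re-install) means the key for slot N is copied to every instance that ever takes slot N, so one compromised instance can impersonate every later holder of that name until the CA cleans it. The cloud-provisioner approach Alexandre describes avoids that: each instance generates its own key and asks for a certname that can never collide, and the master only has to be garbage-collected for names whose instance is gone. The script below, written for this page and not taken from the thread or from Puppet itself, shows both halves. It assumes a certname scheme of `<role>-<instance-id>.<domain>` (so the 1-25 slot number can stay in the hostname for the exported resources while the certname carries the EC2 instance id), assumes the `puppet cert list --all` output format of the Puppet 2.7 era (`+` signed, `-` revoked, no marker for a pending CSR) and the `puppet cert clean` / `puppet cert sign` actions; the listing and the set of running instance ids are constructed samples, and the script only prints the CA commands rather than running them.

```python
"""Reconcile the Puppet CA's certificate list with the EC2 instances that
still exist, and name each autoscaled agent so that certnames never collide.

Assumptions (not from the thread): certnames follow <role>-<instance-id>.<domain>;
the listing text is in the 'puppet cert list --all' format of Puppet 2.7
('+' = signed, '-' = revoked, no marker = pending CSR); the emitted commands
are 'puppet cert clean <name>' and 'puppet cert sign <name>'. All inputs
below are constructed sample data; nothing here talks to a master or to EC2.
"""
import re
from dataclasses import dataclass

# One listing line, with or without the quotes around the name.
CERT_LINE = re.compile(r'^\s*([+-])?\s*"?([^"\s]+)"?\s+\((.+)\)\s*$')
# Assumed autoscaling certname scheme: role has no hyphen, instance is the EC2 id.
CERTNAME_RE = re.compile(r'^(?P<role>[a-z][a-z0-9]*)-(?P<instance>i-[0-9a-f]+)\.(?P<domain>.+)$')


def certname_for(role, instance_id, domain):
    """Agent-side naming: pass the result as 'puppet agent --certname <name>'.
    The instance id makes the name unique per boot, so a replacement node
    never presents a fresh key under a name the CA has already signed."""
    name = f'{role}-{instance_id}.{domain}'
    if not CERTNAME_RE.match(name):
        raise ValueError(f'not a valid autoscaled certname: {name!r}')
    return name


@dataclass(frozen=True)
class CertEntry:
    name: str
    state: str          # 'signed', 'pending' or 'revoked'
    fingerprint: str


def parse_cert_listing(text):
    """Parse 'puppet cert list --all' output (format assumed as above)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CERT_LINE.match(line)
        if not m:
            raise ValueError(f'unrecognised listing line: {line!r}')
        marker, name, fingerprint = m.groups()
        state = {'+': 'signed', '-': 'revoked', None: 'pending'}[marker]
        entries.append(CertEntry(name, state, fingerprint))
    return entries


def instance_of(certname):
    m = CERTNAME_RE.match(certname)
    return m.group('instance') if m else None


def plan_cleanup(entries, live_instances):
    """Return (to_clean, to_sign).

    to_clean: signed certs or pending CSRs whose instance no longer exists.
    to_sign:  pending CSRs from instances that do exist.
    Names outside the autoscaling scheme (the master itself, static hosts)
    are never touched, and already-revoked entries are left alone.
    """
    live = set(live_instances)
    to_clean, to_sign = [], []
    for entry in entries:
        instance = instance_of(entry.name)
        if instance is None or entry.state == 'revoked':
            continue
        if instance not in live:
            to_clean.append(entry.name)
        elif entry.state == 'pending':
            to_sign.append(entry.name)
    return sorted(to_clean), sorted(to_sign)


def cleanup_commands(to_clean, to_sign):
    """Render the CA actions as shell commands; review before running them."""
    return ([f'puppet cert clean {n}' for n in to_clean]
            + [f'puppet cert sign {n}' for n in to_sign])


# Constructed sample: what 'puppet cert list --all' might print on the master.
SAMPLE_LISTING = '''\
+ "web-i-0a1b2c3d.example.internal" (AA:BB:CC:DD)
+ "web-i-4e5f6a7b.example.internal" (11:22:33:44)
+ "db-i-deadbeef.example.internal" (55:66:77:88)
  "web-i-11223344.example.internal" (EE:FF:00:11)
+ "puppetmaster.example.internal" (99:AA:BB:CC)
- "web-i-99887766.example.internal" (DE:AD:BE:EF)
'''

# Constructed sample: instance ids the EC2 API would report as running.
LIVE_INSTANCES = {'i-0a1b2c3d', 'i-deadbeef', 'i-11223344'}


def reconcile(listing=SAMPLE_LISTING, live=LIVE_INSTANCES):
    return cleanup_commands(*plan_cleanup(parse_cert_listing(listing), live))


if __name__ == '__main__':
    for cmd in reconcile():
        print(cmd)
```

With the sample data the script cleans `web-i-4e5f6a7b` (its instance is gone) and signs the pending CSR from `web-i-11223344` (its instance is alive), while leaving `puppetmaster` and the already-revoked entry untouched. In a real deployment the listing comes from the master and the live set from the EC2 API, and the commands should be reviewed before they are executed, since `puppet cert clean` revokes as well as deletes.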